b'Audit\nReport\n     IMPLEMENTATION OF DOD INFORMATION SECURITY\n        POLICY FOR PROCESSING ACCOMPLISHED AT\n        DEFENSE ENTERPRISE COMPUTING CENTERS\n\n\n\nReport No. D-2001-183                  September 19, 2001\n\n\n\n             Office of the Inspector General\n                 Department of Defense\n\x0c  Additional Copies\n\n  To obtain additional copies of this audit report, visit the Inspector General, DoD,\n  Home Page at www.dodig.osd.mil/audit/reports or contact the Secondary Reports\n  Distribution Unit of the Audit Followup and Technical Support Directorate at\n  (703) 604-8937 (DSN 664-8937) or fax (703) 604-8932.\n\n  Suggestions for Future Audits\n\n  To suggest ideas for or to request future audits, contact the Audit Followup and\n  Technical Support Directorate at (703) 604-8940 (DSN 664-8940) or\n  fax (703) 604-8932. Ideas and requests can also be mailed to:\n\n                    OAIG-AUD (ATTN: AFTS Audit Suggestions)\n                     Inspector General, Department of Defense\n                        400 Army Navy Drive (Room 801)\n                            Arlington, VA 22202-4704\n\n  Defense Hotline\n\n  To report fraud, waste, or abuse, contact the Defense Hotline by calling\n  (800) 424-9098; by sending an electronic message to Hotline@dodig.osd.mil; or\n  by writing to the Defense Hotline, The Pentagon, Washington, DC 20301-1900.\n  The identity of each writer and caller is fully protected.\n\n\n\n\nAcronyms\nAIS                   Automated Information System\nASD(C3I)              Assistant Secretary of Defense (Command, Control,\n                         Communications, and Intelligence)\nC and A               Certification and Accreditation\nCIO                   Chief Information Officer\nDAA                   Designated Approval Authority\nDISA                  Defense Information Systems Agency\nDITSCAP               DoD Information Technology Security Certification and\n                         Accreditation 
Process\nGAO                   General Accounting Office\nGISRA                 Government Information Security Reform Act\nIATO                  Interim Authority to Operate\nIT                    Information Technology\nISSO                  Information Systems Security Officer\nOMB                   Office of Management and Budget\n\x0c\x0c\x0c                      Office of the Inspector General, DoD\nReport No. D-2001-183                                              September 19, 2001\n  (Project No. D2001AD-0071)\n\n         Implementation of DoD Information Security Policy for\n            Processing Accomplished at Defense Enterprise\n                          Computing Centers\n\n                               Executive Summary\n\nIntroduction. Public Law 106-398, \xe2\x80\x9cGovernment Information Security Reform,\xe2\x80\x9d\ntitle X, subtitle G, FY 2001 Floyd D. Spence National Defense Authorization Act,\nrequires that each agency obtain an independent assessment of its security posture. The\nInspector General of each agency is to evaluate the agency\xe2\x80\x99s security posture based on a\nreview of an independently selected subset of systems.\n\nThe DoD uses information technology for thousands of processes that are integral to\nsupport and operational functions. Mission-critical, mission-essential, and support-\nfunction processes, or applications, reside on computer systems in Defense Enterprise\nComputing Centers and Detachments, which are part of the Defense Information\nSystems Agency. Customer applications from all DoD Components include financial\naccounting; personnel; pay and disbursement; materiel shipping, receiving, and storing;\nmunitions maintenance; and weapon-systems-associated applications.\n\nThe Office of the Inspector General, DoD, identified its independent subset of systems\nas the 1,365 unique-name applications resident on the Defense Enterprise Computing\nCenters and Detachments as of February 2001. 
From that population, the Office of the\nInspector General selected a random sample of 90 applications. The Army Audit\nAgency evaluated 34 applications, the Air Force Audit Agency evaluated 19, and the\nOffice of the Inspector General evaluated 37, which served the Navy, the Defense\nLogistics Agency, and the Defense Accounting and Finance Service. The evaluations\ndid not include the security measures exercised for the Defense Enterprise Computing\nCenters\xe2\x80\x99 and Detachments\xe2\x80\x99 computer hardware, executive software, or other support\ncomponents.\n\nObjectives. The overall audit objective was to respond to the requirements of the\nGovernment Information Security Reform Act, title X, subtitle G of the FY 2001\nFloyd D. Spence National Defense Authorization Act (Public Law 106-398).\nSpecifically, we selected a subset of DoD information technology to determine whether\nmanagers for that information technology had implemented DoD information security\npolicy.\n\nResults. DoD managers had not fully implemented DoD information security policy.\nWritten, current certifications and accreditations were not available for applications\nestimated at more than 60 percent of the population. Certification and accreditation are\n\x0cthe technical evaluation of security features of an application or system and the formal\ndeclaration to operate the application or system. 
The status of systems for certification\nand accreditation was estimated for the population of 1,365 applications from the\nDefense Enterprise Computing Centers and Detachments as follows:\n\n                                                                             Projected     Percent\n                                                                              Results    of Population\n\nCurrent Certification and Accreditation or\n   Interim Authority to Operate                                               501             36.7\nIndeterminate: retired, transferred, insufficient detail\n   available to find authority to operate status                              410             30.0\nOther technology with no Certification and Accreditation\n   or Interim Authority to Operate                                            137             10.0\nExpired Certification and Accreditation or\n   Interim Authority to Operate                                                30              2.2\nNo Certification and Accreditation or Interim Authority\n   to Operate or Certification only                                           288             21.1\n      Total                                                                  1,3661           100.0\n\nAs a result of incomplete policy implementation, DoD managers assumed risks that\nwere not fully identified, assessed, accepted, and managed as a result of a deliberative\nprocess. Unmanaged information security risk may lead to loss of service, data\ncorruption, unauthorized access, sabotage, tampering, misuse, and fraud in DoD\ninformation technology resources. For details of the audit results, see the Finding\nsection of the report.\n\nSummary of Recommendations. 
We recommend that the Assistant Secretary of\nDefense (Command, Control, Communications, and Intelligence) define information\nsystems terminology to clearly and comprehensively assign responsibility, and use\nmeasurement tools developed in response to Public Law 106-398 to evaluate guidance\nand rectify omitted, obsolete, and confusing policy. We recommend that the Chief\nInformation Officers of the Army, the Navy, the Air Force, the Defense Finance and\nAccounting Service, and the Defense Logistics Agency use information gathered in\nresponse to the Public Law to allocate resources and improve programs. We also\nrecommend that the Chief Information Officers coordinate security efforts with the\nDefense Information Systems Agency, identify security officials, and oversee internal\nprocedures to provide information security for processing accomplished jointly. We\nfurther recommend that the Director, Defense Information Systems Agency, establish a\nmonitoring process and a performance goal for tracking customer certifications and\naccreditations and identifying information security personnel for all customers by the\nFY 2002 Government Information Security Reform reporting period.\n\n1\n    The projected results do not add up to the population due to rounding.\n                                                      ii\n\x0cManagement Comments. The Assistant Secretary of Defense (Command, Control,\nCommunications, and Intelligence) stated that the out-of-date security policies that we\ncited in our report were being updated and will be reissued in October 2001 and early\n2002. In addition, the Assistant Secretary stated that the report oversimplified in\nattributing DoD information security deficiencies to a lack of definition for systems and\napplications and unclear guidance. 
The Army, the Air Force, and the Defense\nLogistics Agency concurred with the recommendations to use information gathered in\nresponse to the public law to allocate resources and improve programs and to\ncoordinate information security efforts for applications and other informational\ntechnology with service providers. The Defense Information Systems Agency\nconcurred with coordinating information security efforts with customers to obtain their\nstatements of approval to operate when beginning service arrangements and with\nmaintaining a resource listing of officials responsible for information security for each\ncustomer of the Defense Enterprise Computing Centers and the Detachments. The\nDefense Information Systems Agency nonconcurred with establishing a monitoring\nprocess and performance goal for the Defense Enterprise Computing Centers\xe2\x80\x99\ninformation security documentation and personnel. Although the Defense Finance and\nAccounting Service concurred with the recommendations, we received management\xe2\x80\x99s\ncomments too late to be included in this final report. We will consider those comments\nas management\xe2\x80\x99s response to the final report unless management submits additional\ncomments. The Navy did not provide management comments. A discussion of the\nmanagement comments is in the Finding section of the report and the complete text is in\nthe Management Comments section.\n\nAudit Response. Current and clear guidance from the Assistant Secretary of Defense\n(Command, Control, Communications, and Intelligence), although not a guarantee of\nadherence, is a prerequisite for effective implementation and oversight of information\nsecurity. 
Also, the Assistant Secretary did not specifically comment on the\nrecommendations on defining information systems technology to clearly assign\nresponsibility and on using measurement tools developed in response to Public\nLaw 106-398 to evaluate guidance and rectify omitted, obsolete, and confusing policy.\nThe Defense Information Systems Agency should establish a monitoring process\nbecause information security is a shared responsibility in which the Defense\nInformation Security Agency has a critical role for its customers. Without current\ninformation about its customers and their security status, the Defense Information\nSecurity Agency could put all customers at increased risk. The comments from the\nArmy, the Air Force, the Defense Logistics Agency, and the Defense Finance and\nAccounting Service were adequate and additional comments are not required. We\nrequest that the Assistant Secretary of Defense (Command, Control, Communications\nand Intelligence), the Chief Information Officer of the Navy, and the Defense\nInformation Systems Agency provide comments on their respective recommendations\nby October 19, 2001.\n\n\n\n\n                                           iii\n\x0cTable of Contents\n\nExecutive Summary                                                         i\n\nIntroduction\n     Background                                                           1\n     Objectives                                                           2\n\nFinding\n     Implementation of DoD Information Security Policy                    3\n\nAppendixes\n     A. Audit Process\n          Scope                                                          15\n          Methodology                                                    16\n     B. Prior Coverage                                                   19\n     C. Sample Application Results                                       20\n     D. 
Report Distribution                                              27\n\n\nManagement Comments\n     Assistant Secretary of Defense (Command, Control, Communications,   29\n       and Intelligence)\n     Army                                                                31\n     Air Force                                                           33\n     Defense Information Systems Agency                                  35\n     Defense Logistics Agency                                            39\n\x0cBackground\n    General Provisions of Government Information Security Reform. On\n    October 30, 2000, the President signed the FY 2001 Defense Authorization Act,\n    (Public Law 106-398) that included title X, subtitle G, \xe2\x80\x9cGovernment\n    Information Security Reform Act,\xe2\x80\x9d (GISRA). Subtitle G provides for ensuring\n    effective controls for highly networked Federal information resources,\n    management and oversight of information security risks, a reporting mechanism\n    for improved information system security oversight, and assurance for Federal\n    information security programs. The GISRA directs each Federal agency (the\n    DoD for purposes of this report) to evaluate its information security program\n    and practices annually and, as part of the budget process, submit the results to\n    the Office of Management and Budget (OMB). The GISRA covers unclassified\n    and national security systems and creates the same management framework for\n    each.\n\n    DoD and Inspector General Provisions of GISRA. The GISRA establishes\n    parallel requirements for the agency and the agency Inspector General. It\n    requires DoD to annually evaluate its information security program and\n    practices and confirm their effectiveness by testing a subset of systems. 
GISRA\n    requires the Office of the Inspector General to also evaluate the DoD\n    information security program and practices and to independently select and test\n    a subset of systems to confirm information security program effectiveness.\n\n    The DoD Information Technology Universe. The DoD has thousands of\n    information technology (IT) processes that comprise its IT universe. Those\n    processes can be categorized according to a variety of criteria; for example,\n    function, criticality, and owner or operator. Two categories, or populations,\n    identified in DoD for the FY 2001 GISRA report were the IT Registry systems\n    and the processes supported by the Defense Enterprise Computing Centers (the\n    Centers), for which DISA billed its customers. Those processes or applications\n    that are Center supported may also be on the IT Registry database, though not\n    all are.\n\n              IT Registry Database of Systems. The IT Registry database is\n    required by title VIII, subtitle B, \xe2\x80\x9cInformation Technology,\xe2\x80\x9d section 811,\n    \xe2\x80\x9cAcquisition and Management of Information Technology,\xe2\x80\x9d Public\n    Law 106-398. All mission-critical and mission-essential IT systems must be\n    registered with the DoD Chief Information Officer (CIO) before they can be\n    funded. The IT Registry database requires 17 data fields, including system\n    name, description, functional area, and program manager information. As of\n    April 2001, 3,739 IT systems were registered in the IT Registry database.\n\n             Center-Supported Applications. The Centers and Detachments of the\n    Defense Information Systems Agency (DISA) provide general support systems,\n    including mainframe computers, minicomputers, and local area networks for its\n    customers\xe2\x80\x99 applications. 
Each Center operates under the control of the Center\n    commanding officer, with system security functions accomplished by the\n    designated security manager and the information systems security manager. The\n    DISA has five Centers that are located in Mechanicsburg, Pennsylvania;\n                                       1\n\x0c     Columbus, Ohio; St. Louis, Missouri; Oklahoma City, Oklahoma; and Ogden,\n     Utah. In addition, there are Detachments or satellite sites at 14 other locations.\n     The Center customers are the Military Departments and other Defense agencies\n     with installations throughout the United States. The customer applications that\n     the Centers and Detachments run to support DoD installations include financial\n     accounting; personnel; pay and disbursement; materiel shipping, receiving, and\n     storing; munitions maintenance; and weapon-systems-associated applications.\n     DISA bills the customers for running 4,939 applications.\n\n     The Subset Selected by the Office of the Inspector General. The Office of\n     the Inspector General, DoD, identified its independent subset of systems as the\n     applications supported by the Centers and Detachments of DISA. Analysis of\n     the 4,939 applications identified 1,365 items based on unique names that became\n     the source of the subset sample. The random sample included applications\n     supporting multiple DoD Components, installations, and functions. The Army\n     Audit Agency evaluated 34 applications and the Air Force Audit Agency\n     evaluated 19 applications supporting their respective Components. The Office\n     of the Inspector General, DoD, evaluated the balance of 37 applications, which\n     supported the Navy, the Defense Finance and Accounting Service, and the\n     Defense Logistics Agency. 
The evaluation did not include the Centers\xe2\x80\x99 and\n     Detachments\xe2\x80\x99 security measures exercised for the computer hardware, executive\n     software, or other components of Center support.\n\n     The DoD Information Security Program. The primary document establishing\n     the DoD information security program is DoD Directive 5200.28, \xe2\x80\x9cSecurity\n     Requirements for Automated Information Systems,\xe2\x80\x9d March 21, 1988,\n     which provides the mandatory, minimum security requirements for automated\n     information systems (AISs) based on acceptable levels of risk.\n     Directive 5200.28 has several companion regulatory and procedural documents,\n     including DoD Instruction 5200.40, \xe2\x80\x9cDoD Information Technology Security\n     Certification and Accreditation Process,\xe2\x80\x9d (DITSCAP), December 30, 1997.\n\n     The DITSCAP Program. DoD Instruction 5200.40 implements DoD\n     Directive 5200.28; it prescribes procedures to accomplish policy goals and\n     establishes standards for certifying and accrediting the security of DoD systems\n     throughout their life cycle.\n\nObjectives\n     The overall audit objective was to respond to the Government Information\n     Security Reform provisions in title X, subtitle G of the FY 2001 Floyd D.\n     Spence National Defense Authorization Act (Public Law 106-398). Specifically,\n     we selected a subset of IT in the DoD and determined whether the managers had\n     implemented DoD information security policy. We did not evaluate the\n     management control program separately because the DoD recognized\n     information security and assurance programs as a material weakness in its most\n     recent Statement of Assurance. In addition, the General Accounting Office\n     (GAO) identified information security as a high risk. See Appendix A for a\n     discussion of the audit scope and methodology. 
See Appendix B for prior\n     coverage related to the audit objectives.\n                                          2\n\x0c                    Implementation of DoD Information\n                    Security Policy\n                    DoD managers had not fully implemented information security policy for\n                    the DISA Center- and Detachment-supported applications, as shown by\n                    the number of applications that had written, current certification and\n                    accreditation (C and A) or interim authority to operate (IATO). Written,\n                    current C and As were not available for an estimated 60 percent of\n                    applications residing on Center and Detachment computer systems. The\n                    projected point estimates to the population of 1,365 for authority to\n                    operate for the sample of 90 applications were as follows:\n\n                                                                        Projected           Percent\n                                                                         Results          of Population\n                        Current C and A or IATO                            501                 36.7\n\n                        Indeterminate: retired, transferred,\n                        insufficient detail available to find status        410               30.0\n\n                        Other technology with no C and A\n                        or IATO                                             137                10.0\n\n                        Expired C and A or IATO                              30                2.2\n\n                        No C and A or IATO, or certification\n                        only                                                288                21.1\n\n                            Total                                          1,3661              100.0\n\n                    The DoD managers had not fully 
implemented information security\n                    policy because definitions for system, application, and other means of\n                    establishing security parameters and responsibilities were unclear. The\n                    parameters of and responsibility for information security were further\n                    obscured by the DoD practice of approving different organizations to\n                    design, develop, manage, use, and operate IT applications. In addition,\n                    the policy proponent, the Office of the Assistant Secretary of Defense\n                    (Command, Control, Communications, and Intelligence) [ASD (C3I)];\n                    the service provider, DISA; and the Component heads provided little\n                    oversight of policy implementation or policy applicability to the current\n                    IT environment. As a result of incomplete policy implementation, DoD\n                    managers assumed risks to IT that were not fully identified, assessed,\n                    accepted, and managed as a result of a deliberative process. Unmanaged\n                    risk could lead to loss of service, data corruption, unauthorized access,\n                    sabotage, tampering, misuse, and fraud in DoD IT systems and\n                    applications.\n\n1\n    The projected point estimates do not add up to the population of 1,365 due to rounding.\n\n                                                      3\n\x0cGuidance on Information Security for AISs\n          OMB Circular A-130. The purpose of OMB Circular A-130, Revised,\n          \xe2\x80\x9cManagement of Federal Information Resources,\xe2\x80\x9d February 8, 1996,2\n          appendix III, \xe2\x80\x9cSecurity of Federal Automated Information Resources,\xe2\x80\x9d is to\n          establish a minimum set of controls to be included in Federal automated\n          information security programs. 
Circular A-130 requires agencies to establish\n          controls that ensure adequate security for all information that is processed,\n          transmitted, or stored in Federal automated information systems. The Circular\n          also states that agencies should include controls that assign responsibility for\n          security, security planning, periodic review of security controls, and\n          management authorization.\n\n          DoD Directive 5200.28 Requirements for Accreditation Process and Security\n          Responsibility. DoD Directive 5200.28 applies to all AISs, including stand-\n          alone systems, communications systems, and computer systems of all sizes.\n          The Directive specifically states that an AIS accreditation should be\n          accomplished and supported by a certification plan, a risk analysis of the AIS in\n          its operational environment, an evaluation of the security safeguards, and a\n          certification report. The Directive also states that a Designated Approval\n          Authority (DAA) should approve the documents supporting each accreditation.\n          The DAAs should reaccredit AISs at least every 3 years or before declaring a\n          revised system operational.\n\n          In addition to the DAA approval responsibility, Directive 5200.28 assigns\n          responsibility to the DAA for acting on security deficiencies that would preclude\n          the certification process. 
The DAAs must review the safeguards and issue\n          certification statements for each AIS under their jurisdiction, based on the\n          acceptability of the security safeguards for the AIS.\n\n          Directive 5200.28 also establishes the responsibility of the Information System\n          Security Officer (ISSO) to monitor the AISs for security compliance, report\n          security incidents to the DAA, and maintain a plan for system security\n          improvements and the progress towards meeting certification.\n\n          DoD Instruction 5200.40, DITSCAP. The 1997 DITSCAP implements a\n          standard approach for protecting and securing DoD information systems and\n          provides procedures for accomplishing the certification and accreditation process\n          established in DoD Directive 5200.28. The DITSCAP applies during all life-\n          cycle phases to any DoD system that collects, stores, transmits, or processes\n          unclassified or classified information. The DITSCAP procedures identify four\n          life-cycle phases: definition, verification, validation, and post accreditation.\n          The DoD Instruction discusses the DAA, ISSO, program manager, and\n          certification authority as essential to the DITSCAP process.\n\n\n\n2\n    OMB issued a revised Circular A-130 November 30, 2000. The November 2000 revision did not\n    change the requirements cited here.\n\n                                                  4\n\x0cAssigning Responsibility for Information Security\n     From the sample of 90 applications, 33 applications met the minimum\n     requirements for information security programs in assigning responsibility and\n     accomplishing a current C and A or IATO. 
The results from the sample\n     projected to 501 applications for the population that met minimum requirements.\n\n     Responsibility for information security was not assigned for 39 sample\n     applications in four of the five C and A categories: no C and A, 2 of 19\n     applications; current C and A, 1 of 33 applications; other technology,\n     9 applications; and indeterminate, 27 applications.\n\n     Managers for two applications had not assigned DAAs or ISSOs for applications\n     falling in the no C and A category. Managers for one application in the current\n     C and A category had a DAA but no ISSO. Personnel contacted for nine\n     applications that were categorized as other technology did not identify a DAA or\n     an ISSO because the sample application did not meet the managers\xe2\x80\x99 definition of\n     a system or an application. The nine items included five data sets, one\n     database, and three software management tools. (See Appendix C for details of\n     sample items.)\n\n     For 27 of the sample applications, personnel identified as DISA customer points\n     of contact were unable to identify the application\xe2\x80\x99s DAA and ISSO or provide\n     information about the C and A. As of March 2001, DISA billed a customer for\n     each of the 27 applications. The customer points of contact reported that\n     6 applications were retired, 1 was transferred to a different service provider,\n     2 were in development, and 3 were classified. The customer points of contact\n     for 15 applications did not recognize the application for which DISA was billing\n     them as one supporting their organization or functions.\n\n     DISA could not provide further information regarding the applications, the\n     DAA and ISSO for the applications, or the C and A status. DISA did not\n     require customers to document completed DoD information security procedures\n     before accepting the customers for Center and Detachment services. 
DISA\n     resolutely delineated its security responsibilities for the hardware, executive\n     software, and other supporting components from the security responsibilities for\n     the customer applications.\n\n     According to OMB Circular A-130, appendix III, agency IT security programs\n     should assign responsibility for security. The Circular discusses the need to\n     assign responsibility as both a general control and as a major application\n     control. DoD Directive 5200.28 states that DoD Component Heads should\n     appoint a DAA and assign the responsibility for overall AIS security. The DAA\n     also has the responsibility to make sure that management names an ISSO for\n     each AIS.\n\n     The ISSO should implement security policy by monitoring each assigned AIS\n     for appropriate operation, use, maintenance, and disposal. The ISSO verifies\n     user qualifications for access and monitors audit trails periodically.\n\n                                         5\n\x0c    The applications that did not have a DAA or an ISSO appointed for security\n    responsibility did not meet the minimum security program requirements\n    established in OMB and DoD guidance. Approximately 40 percent,\n    547 applications (410 projected indeterminate and 137 other technology), of the\n    1,365 applications were estimated to have no appointed information security\n    officers or approval authority. 
In our opinion, all the IT resident on the Centers\n    and Detachments should have personnel assigned responsibility to ensure IT\n    security, based on paragraph 2.3 in DoD Directive 5200.28, which states:\n               This Directive applies to all AISs including stand-alone systems,\n               communications systems, and computer network systems of all sizes,\n               whether digital, analog, or hybrid; associated peripheral devices and\n               software; process control computers; embedded computer systems;\n               communications switching computers; personal computers; intelligent\n               terminals; word processors; office automation systems; application\n               and operating system software; firmware; and other AIS technologies,\n               as may be developed.\n\n    Although data sets, databases, and software tools are not specifically mentioned,\n    they are also not specifically exempted. Because those non-application and non-\n    system items were resident on a computer, they should have been subject to\n    security evaluation or included as a component of another AIS C and A. In\n    addition, owners and operators of applications and other IT should sufficiently\n    identify applications and other IT to provide accountability throughout its life\n    cycle, including transfer and retirement.\n\nAuthorizing AISs to Operate\n    The sample of 90 applications had 21 applications without a current C and A.\n    Managers for 7 applications had not obtained C and A or an IATO and\n    managers for 12 applications had obtained certification of the applications but\n    had not obtained an accreditation. 
Managers for two applications had allowed the C and A or IATO to expire (C and A more than 3 years old, IATO more than 1 year old).

The guidance in OMB Circular A-130, appendix III, states that one of the minimum requirements for an information security program is an authorization process to implement the agency security plan. The Circular asserts that authorization should occur at least every 3 years.

DoD Directive 5200.28 requires official management authorization that it calls accreditation. The definition of accreditation states that authorization to operate should be based on a certification process and should show that due care was taken for security. The Directive specifies that reaccreditation should occur before a revised system is declared operational, or every 3 years regardless of revisions.

The managers of the applications that did not have a current C and A or IATO, an estimated 318 (30 expired and 288 with no C and A or with certification only) of the 1,365 applications, did not have documented evidence that they evaluated risk, planned mitigating procedures, and accepted risk, or that they exercised due care regarding information security.

Defining the Parameters for Information Security

Another factor in establishing parameters, besides information technology that falls outside the conceptual framework of an application or a system, is the interface between applications and operating systems. Personnel for three Air Force applications and nine Navy applications disagreed on who was responsible for accreditation of applications. For example, the DISA Center personnel at Mechanicsburg consistently described their responsibility for security as one that ends at the interface point with a specific customer’s data processing application.
Navy personnel at Mechanicsburg believed that, although they could certify an application, only the Center personnel could accredit a system because a system would include all hardware and software required to accomplish a process.

However, the Navy position was not consistent with its documentation. The security certification documents, prepared by the organization that developed the applications, state that:

    “FMSO [Fleet Material Support Office] certifies that this Application has been examined for ADP [Automatic Data Processing] Security safeguards in accordance with OPNAVINST 5239.1A [Navy Operating Instruction] and is in compliance with proper ADP Security design conventions, necessary for User Activity Accreditation [emphasis added].”

The user activity, according to the October 13, 1993, memorandum transmitting the above security statement, was the Navy Ships Parts Control Center. The Center at Mechanicsburg was not an addressee for the certification statement. The Air Force and the Navy personnel associated with the 12 applications believed that they fulfilled their responsibility for information security when application developers certified the security features designed into the applications.

Other relationships among organizations can also add complexity to assigning responsibility for information security. In addition to the Center with its responsibility for the operating software and the hardware, an application could have other organizations providing and using data, developing the application, and providing the communications among the process parts.
The applications and other items billed by DISA do not always have the same user and payer, and the division of responsibility for security can be uncertain when multiple organizations are involved. The Centers, Detachments, and DISA did not maintain records of customer security responsibility similar to their records of customer paying responsibility.

Providing Oversight on Policy Implementation and Applicability

Although DoD Directive 5200.28 specifically assigns oversight and review of implementation of its stated policies to the ASD(C3I), the ASD(C3I) had no mechanism in place to provide that oversight. Additionally, the Directive assigns responsibility to DoD Component Heads, including DISA, for implementing and ensuring compliance with the Directive, and for programming funds and resources to support information security. The DoD Components also had no mechanisms to comprehensively measure compliance with the Directive.

Mechanism to Evaluate Security Posture. In a February 9, 2001, memorandum to all the Components, the ASD(C3I) stated that the DoD had several vehicles in place to assess information assurance and meet the intent of GISRA. However, according to the memorandum, the DoD required a means of evaluating and consolidating information assurance data to report the DoD information security posture. With the February memorandum, the ASD(C3I) established an integrated process team to accomplish that goal.

The integrated process team developed a matrix of features about which they would obtain responses from system managers. A sample of systems was randomly selected from the IT Registry, the DoD subset for testing policy effectiveness for the FY 2001 GISRA reporting period.
The responses to the matrix of questions would provide a test of the implementation of IT security policy and an opportunity to evaluate weaknesses in the overall DoD policy. The Office of the Inspector General, DoD, and the GAO provided earlier evaluations of the DoD information security policy during specific issue audits and reviews.

Policy Status Based on Evaluations. The evaluations conducted by the Office of the Inspector General, DoD, and the GAO have repeatedly recommended updating policies and procedures to provide consistent management and monitoring of information security and assurance throughout the DoD. The DoD received recommendations related to DoD Directive 5200.28 and DoD Instruction 5200.40 in May 1996 (2 recommendations), September 1996 (1 recommendation), September 1997 (2 recommendations), and December 1999 (2 recommendations) that were open as of July 2001.

The overarching policy contained in DoD Directive 5200.28 no longer corresponded with other policy and directives because it predated them. For example, DoD Directive 5200.28 refers its users to DoD Directive 5010.38, “Internal Management Control Program,” for independent review procedures, but those procedures are found in DoD Instruction 5010.40, “Management Control (MC) Program Procedures,” August 28, 1996. Directive 5010.38 was reissued August 26, 1996, and the companion Instruction 5010.40 was issued August 28, 1996, resulting in a disconnect between the 1988 IT policy and other DoD policy and procedures.

Existing Information Security Policy. Oversight on implementation of the DoD information security policy should also identify the age and corresponding credibility of existing DoD Directive 5200.28 companion documents.
The Directive refers its users to DoD 5200.28-Standard, “Department of Defense Trusted Computer System Evaluation Criteria,” December 1985, for guidance on risk assessments and associated level of trust. The Directive also refers its users to DoD 5200.28-M, “ADP Security Manual,” administratively reissued incorporating change 1 on May 24, 1979, for guidance on marking and disposition of media. The standard and the manual had not been updated for the IT environment that exists in the year 2001. That environment includes architectures of highly networked systems and media, such as writable compact disks.

Instruction 5200.40 provides detail on what needs to be completed for a certification and accreditation package, but it does not provide enough detail on how to prepare the documentation required in a certification package. The detailed description about how to complete the documentation required for a certification package first became available July 31, 2000, when DoD 8510.1-M, “DoD Information Technology Security Certification and Accreditation Process, Application Manual,” was issued.

Different Assessment Tools Used for Certifying and Accrediting. Different assessment tools were used to certify and accredit DoD information systems, which led to delays in implementing and enforcing the DITSCAP. For example, the Navy did not use the DITSCAP to certify and accredit its systems; it used Navy Instruction 5239.1A, “Department of the Navy Automatic Data Processing Security Program,” April 1, 1985. The Navy Instruction was to be updated and replaced by Navy Instruction 5239.1B, which was in draft as of June 2001. One of the major areas of concern to be addressed in Navy Instruction 5239.1B was the oversight of information assurance.
According to Navy CIO personnel, the DITSCAP allows the Services to use Service-specific guidance to certify and accredit their information systems.

The Air Force started using the DITSCAP, effective April 1, 2001, for certifying and accrediting its information systems. Before using the DITSCAP, the Air Force used Air Force System Security Instruction 5024, volume 1, “The Certification and Accreditation Process,” September 1, 1997. The Air Force Instruction has the same requirements as the DITSCAP. Owners of Air Force systems that were using the Air Force Instruction to certify their systems and applications were allowed to continue; however, future certification and accreditation will comply with the DITSCAP. We believe that moving to a common evaluation tool, the DITSCAP, will help to develop common terminology and parameters for information security and provide more uniform levels of policy implementation.

Conclusion

Although DoD has guidance and policies on information technology security and information assurance, DoD Components, including DISA, had not thoroughly implemented and enforced them. Therefore, unclassified applications and other information resources operating or residing on DISA Centers and Detachments were not certified and accredited in accordance with the current DoD IT guidance and policy. The absence of clearly defined responsibilities and boundaries and limited oversight to maintain contemporary guidance pose unidentified and unmanaged risks. Those risks include the potential for loss of service, data corruption, unauthorized access, sabotage, tampering, misuse, and fraud involving DoD information technology systems.
In addition, when decisionmakers do not identify the specific risks or the magnitude of risk they must manage, they cannot assign the personnel or the funds to manage the risk.

Management Comments on the Finding and Audit Response

Office of the Secretary of Defense Comments. The Director, Information Assurance, Office of the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence), stated that the draft report made no mention of DoD CIO Guidance and Policy Memorandum 6-8510, “DoD Global Information Grid (GIG) Information Assurance and Information Assurance Implementation Guide,” June 16, 2000, which is more contemporary guidance. The Director also stated that a draft DoD Directive 8500.1, “Information Assurance,” and a draft DoD Instruction 8500.2, “Information Assurance Implementation,” have been prepared to replace both DoD Directive 5200.28 and Policy Memorandum 6-8510. The Directive and the Instruction should be in coordination by October 2001. The Director also stated that DoD Instruction 5200.40, known as DITSCAP, was being revised to better define the certification and accreditation process and to address issues discussed in this audit report. The new DITSCAP will be issued as DoD Instruction 8510.1 in early 2002. The Director indicated that the report oversimplified in attributing DoD information security deficiencies to a lack of definition for systems and applications and unclear guidance. In addition, the Director did not agree that DoD Directive 5200.28 applied to data sets and databases. He said that such an interpretation would require all “files” to be certified and accredited.

Audit Response.
The DoD CIO Global Information Grid guidance and policy memorandum issued June 16, 2000, may not be considered binding by DoD personnel. DoD Directive 5025.1, “DoD Directives System,” July 27, 2000, states that, for directive-type memorandum, “A DoD issuance will be issued within 180 days of signature of the memorandum,” and its predecessor guidance stated within 90 days. Also, DoD Directive 8500.1 and DoD Instruction 8500.2 were to have been completed by May 2001. Although current and clear guidance does not guarantee that the guidance will be followed, it is a prerequisite for effective implementation and oversight, and provides further assurance that responsible personnel are certifying and accrediting their systems and applications consistently. In addition, we do not advocate the certification and accreditation of files; however, any item resident on a computer represents a vulnerability and should be identified with a system or application that has been certified and accredited. During our audit, data sets and databases could not be traced back to applications that had been certified and accredited.

DISA Comments. DISA agreed that more vigilance is needed to ensure a secure information technology environment. DISA stated that it had taken a number of proactive steps to ensure that its support to the Services and Defense agencies and, ultimately, the warfighter meet this requirement. DISA stated that information security is a shared responsibility and that DISA partners with its customers and vendors to accomplish the requirements of GISRA.

Recommendations, Management Comments and Audit Response

1. We recommend that the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence):

    a.
Define systems, applications, networks, and other terminology so boundaries and interfaces can be clearly established and comprehensive information security responsibility can be assigned. The definitions should also provide guidance on the applicability of information security to information technology items, such as data sets, databases, and software management tools.

    b. Use the data collection effort designed in response to the reporting requirements of the Government Information Security Reform Act to identify information security policy and programs that are omitted, obsolete, or confusing, and expeditiously modify or update the policy and programs as needed.

Management Comments. The Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) [ASD(C3I)] did not specifically respond to the recommendations. Therefore, we request that the ASD(C3I) provide comments to the recommendations in response to the final report.

2. We recommend that the Chief Information Officers for the Army, Navy, Air Force, the Defense Finance and Accounting Service, and the Defense Logistics Agency:

    a. Use the data collected in response to the Government Information Security Reform Act to identify weaknesses, such as expired accreditations, in their Component information security programs so they can provide resources to improve the programs.

    b. Coordinate information security efforts for applications and other information technology with service providers, such as the Defense Information Systems Agency, to include clearly designated security and approval officials.

Army Comments. The Army concurred with Recommendations 2.a. and 2.b. The Army is implementing the DITSCAP as the standard for all its information systems.
The Army’s information assurance professionals at all levels are involved in the DITSCAP process, not only for applications that run on Defense Enterprise Computing Centers, but also for all information systems. The Army recommended to the Government Information Security Reform working group that DoD make the development of better definitions a high priority requirement and that revisions to the DITSCAP application manual specifically address certification and accreditation requirements for applications and other entities. The Army suggested that DoD consider registering Defense Enterprise Computing Centers’ applications in the IT registry database. In August 2001, the Army directed that responsible personnel for all systems and applications currently in the IT registry review and update all required identifying data. In addition, the Army will recommend to the ASD(C3I) that additional information security data fields be added to the IT registry database.

Audit Response. The Army’s suggestion for registering DECC applications on the IT registry has merit. Office of Inspector General, DoD, Report No. D-2001-175, August 22, 2001, discusses more wide-ranging use of the IT registry database.

Navy Comments. The Navy did not comment on a draft of this report. Therefore, we request that the Chief Information Officer for the Navy provide comments to the final report.

Air Force Comments. The Air Force concurred with Recommendations 2.a. and 2.b. The Air Force will incorporate Government Information Security Reform data fields into the Air Force System Compliance Database, which will track Air Force systems for certification and accreditation and GISRA requirements. The Air Force has collected similar data, in support of GISRA, which yielded similar findings.
The acting CIO for the Air Force made information security a priority by putting together a tiger team of Air Force experts to construct and guide the Air Force’s implementation of an information assurance strategy. The Air Force strategy will be a collaborative effort with external agencies, including DISA and the Office of the Secretary of Defense.

Defense Logistics Agency Comments. The Defense Logistics Agency concurred with Recommendations 2.a. and 2.b. The Defense Logistics Agency stated that it would include weaknesses identified in response to GISRA in its Annual Statement of Assurance. It also stated that those weaknesses were included in its Information Assurance Program Plan and System Security Authorization Agreements for systems, networks, and websites. Furthermore, the Defense Logistics Agency planned or implemented schedules to mitigate those security weaknesses. It developed System Security Authorization Agreements in accordance with DoD Instruction 5200.40 for all five of the systems selected for review in this audit. One system was certified, accredited, and issued approval to operate on July 29, 2001; two are currently being certified with approval to operate planned for September 2001; and the remaining two should achieve approval to operate in November 2001. In addition, the Defense Logistics Agency information security efforts have been coordinated as part of service level agreements and memoranda of agreement.

Defense Finance and Accounting Service Comments. We received comments from the Defense Finance and Accounting Service too late to be included in the final report. However, management concurred with the recommendations. The draft report comments will be treated as the comments to the final report unless the Defense Finance and Accounting Service wants to provide additional comments on the final report.

3.
We recommend that the Commander, Defense Information Systems Agency, Western Hemisphere:

    a. Coordinate information security efforts with customers to obtain their statements of approval to operate when beginning service arrangements and periodically thereafter.

    b. Maintain a resource listing of officials responsible for information security for each customer of the Defense Enterprise Computing Centers and Detachments. Those officials should be contacted if their application is the source of security risks or is affected by other customer or Defense Enterprise Computing Center risks.

    c. Establish a monitoring process and performance goal for Defense Enterprise Computing Centers to document current certifications and accreditations, interim authority to operate, and the designated approval authority and information systems security officer for all customers by the end of the FY 2002 Government Information Security Reform reporting period.

Management Comments. DISA concurred with Recommendation 3.a. DISA specifies in each service level agreement that the customer is responsible for the system or application certification and accreditation. In the future, the customer will be asked to document that the systems or applications are certified and accredited, or the steps taken to accomplish certification and accreditation, along with a schedule for completion. The customer will also be asked to identify the risks that the customer assumed to implement the work prior to completing the certification and accreditation process. That guidance will be transmitted to DISA Headquarters and field activities through a policy letter by October 1, 2001.

DISA concurred with Recommendation 3.b. DISA stated that all operational sites currently maintain the names and contact information for functional points of contact for all applications that run on systems at the Defense Enterprise Computing Centers and Detachments.
The points of contact interface between the customers, the Defense Enterprise Computing Center, and the Detachments to address operational problems. If a security-related issue occurs, site personnel of DISA Western Hemisphere coordinate through the customer’s functional point of contact to resolve the problem with the customer’s functional and security personnel.

DISA nonconcurred with Recommendation 3.c. DISA stated that the Office of the Secretary of Defense is responsible for this policy issue because the Office of the Secretary of Defense is in the position to require the Services and DoD agencies to update and maintain their portion of the information security records. DISA supports having a central repository for DAA information for applications and major systems. DISA recommends that either a central repository be developed or that the IT registry be expanded to maintain the data at the Office of the Secretary of Defense level.

Audit Response. Although DISA concurred with Recommendation 3.b., the audit found gaps in the process described. The audit identified the Defense Enterprise Computing Center points of contact. However, as stated in this report, for 27 of the sample applications, DISA customer points of contact were unable to identify the application’s DAA and ISSO or provide information about certification and accreditation. Further, for 15 applications, the customer points of contact did not recognize the applications for which DISA was billing them as ones supporting their organization or functions. The DISA actions on Recommendation 3.a.
should result in identifying customer points of contact that are aware of and maintain the appropriate information security data.

With respect to Recommendation 3.c., we agree that the Office of the Secretary of Defense has a principal role in issuing the policy to require the Services and Defense agencies to provide the information. However, as DISA acknowledges in its response, information security is a shared responsibility and DISA must partner with various parties to ensure that the requirements of information security are met. In our opinion, DISA has an essential role to monitor information collection on current certifications and accreditations, the interim authority to operate, and the designated approval authority and information systems security officer for all customers. In response to the final report, we request that DISA reconsider its position on establishing a monitoring process.

Appendix A. Audit Process

Scope

Work Performed. In February 2001, we selected a subset of applications, as required by the GISRA. Our subset of systems was independent from the sample that DoD selected in April from the IT Registry database. We selected our sample from items residing on and billed by Centers and Detachments, a listing obtained in response to our request for applications operating at Centers and Detachments. Operations research analysts aggregated the population of 4,939 billable line items to 1,365 items based on unique names. The operations research analysts then selected a simple random sample of 90 applications.
Of the 90 sample items from the Center population, 31 also occurred in the IT Registry population.

We interviewed personnel and reviewed information security documentation from DISA Centers and Detachments, as well as the Navy, Marine Corps, Army, Air Force, Defense Finance and Accounting Service, and Defense Logistics Agency.

We analyzed DoD Directives, Instructions, and other guidance to determine whether information assurance and security policies and procedures were clear, comprehensive, and consistent with Federal policy and one another. We compared certification and accreditation documentation to DoD and Component guidance for determining compliance. See Methodology for details of the sample selected from the Center and Detachment population of applications.

Limitations to Scope. We did not review the management control program because DoD recognized information security and assurance programs as a material weakness in its FY 1999 Statement of Assurance, which was its most recent signed Statement of Assurance.

DoD-Wide Corporate Level Government Performance and Results Act Coverage. In response to the Government Performance and Results Act, the Secretary of Defense annually establishes DoD-wide corporate level goals, subordinate performance goals, and performance measures. This report pertains to achievement of the following corporate level goal and performance measure.

    •   FY 2001 DoD Corporate Level Goal 2: Prepare now for an uncertain future by pursuing a focused modernization effort that maintains U.S. qualitative superiority in key warfighting capabilities. Transform the force by exploiting the Revolution in Military Affairs, and reengineer the Department to achieve a 21st century infrastructure.
(01-DoD-02)

    •   FY 2001 Performance Measure 2.5.3: Qualitative Assessment of Reforming Information Technology (IT) Management. (01-DoD-2.5.1.)

DoD Functional Area Reform Goals. Most major DoD functional areas have also established performance improvement reform objectives and goals. This report pertains to achievement of the following functional area objective and goal.

    Information Management Functional Area. Objective: Ensure DoD’s vital information resources are secure and protected. Goal: Make Information Assurance (IA) an integral part of DoD Mission Readiness Criteria. (IM-4.1)

GAO High-Risk Area. The GAO lists information assurance as a high-risk area. Although the Secretary of Defense annually establishes DoD-wide corporate level goals and performance measures to address the requirements of the Government Performance and Results Act, the DoD does not currently provide corporate level goals for information assurance.

Methodology

To assess the information technology security posture of DoD, we selected a random sample of applications from a subset of systems. For those applications, the objective was to identify security personnel, such as the ISSO and the DAA, and to determine whether the applications had a C and A or an IATO. We constructed a spreadsheet in which to compile and analyze results from our subset of systems.

Use of Computer-Processed Data. Computer-generated information was the source for selecting the subset, but was not used as evidence in a finding.

Universe and Sample. We defined applications operating or residing on the DISA Centers and Detachments as our subset of systems, the universe for this sample.
In response to our request for DISA-supported applications, DISA Western Hemisphere provided a listing of 4,939 applications on Center and Detachment systems that were billed to customers. Analysis of the 4,939 applications determined that multiple occurrences of the same names appeared. Operations research analysts from the Quantitative Methods Division, Office of the Assistant Inspector General for Auditing, aggregated the list based on unique-named applications, which left 1,365 applications. The analysts then generated a simple random sample of 90 applications.

Measurement Issues. The listing of applications that DISA Western Hemisphere provided consisted of every line item billed by DISA. Some items were not, in fact, applications, but space on the network that customers must pay to use. Inactive or unacknowledged applications were also found, so those sample items could not be tested for the attributes demonstrating security policy implementation. See Appendix C for details of the 90 sample applications. The sample results categories and the number of applications in each category are shown below:

Table A1.
Sample Results by Certification and Accreditation Status Category

    Category                                        Sample Result
    Current C and A or IATO                                    33
    Out of date C and A or IATO                                 2
    No C and A and no IATO, or incomplete                      19
    Other IT                                                    9
    Unable to test the C and A and IATO status                 27
    Total                                                      90

Measurement Results. The operations research analysts projected these sample results to the subset universe of 1,365 applications using a 90 percent confidence level. The results shown in the report are the projected point estimates. The complete results of the projections are shown below:

Table A2.
Certification and Accreditation Status Projected to the Population of Applications

Category                                        Lower Bound   Point Estimate (1)   Upper Bound
Current C and A or IATO                                 383                  501           618
Out of date C and A or IATO                             (2)                   30            72
No C and A and no IATO, or incomplete
  (certification only)                                  187                  288           389
Other IT                                                 60                  137           213
Unable to test the C and A and IATO status              297                  410           522

(1) The point estimates sum to 1,366 rather than to the population of 1,365 because of rounding.
(2) The lower bound estimate is below zero and therefore is not reported.

Use of Audit Assistance. The Air Force Audit Agency and the Army Audit Agency gathered and analyzed data for the sample items that belonged to customers within their respective Components. The Air Force Audit Agency gathered and analyzed data for 19 sample items, and the Army Audit Agency gathered and analyzed data for 34 sample items. The data were merged into a common spreadsheet for interpretation of the overall sample results.

Use of Technical Assistance. One computer engineer from the Technical Assessment Division, Office of the Assistant Inspector General for Auditing, assisted in planning the audit. In addition, two operations research analysts from the Quantitative Methods Division, Office of the Assistant Inspector General for Auditing, assisted in selecting the random sample from the subset of applications and in interpreting the results.

Audit Type, Dates, and Standards. 
We conducted this program audit from January through July 2001 in accordance with generally accepted Government auditing standards, except that we did not have time to independently retest or validate the audit work of the Army Audit Agency and the Air Force Audit Agency. In addition, we were unable to obtain an opinion on our system of quality control. Our most recent external quality control review was withdrawn on March 15, 2001, and we will undergo a new review.

Contacts During the Audit. We visited or contacted individuals and organizations within the DoD. Further details are available upon request.

Appendix B. Prior Coverage

GAO

GAO Report No. GAO-01-525, “Information Technology: Architecture Needed to Guide Modernization of DoD’s Financial Operations,” May 17, 2001

GAO Report No. GAO-01-307, “Information Security: Progress and Challenges to an Effective Defense-wide Information Assurance Program,” March 30, 2001

GAO Report No. GAO-01-341, “Information Security: Challenges to Improving DoD’s Incident Response Capabilities,” March 29, 2001

Inspector General, DoD

Inspector General, DoD, Report No. D-2001-044, “Accreditation Policies and Information Technology Controls at the Defense Enterprise Computing Center Mechanicsburg,” February 9, 2001

Inspector General, DoD, Report No. D-2001-017, “Unclassified but Sensitive Internet Protocol Router Network Security Policy,” December 12, 2000

Inspector General, DoD, Report No. D-2001-016, “Security Controls Over Contractor Support For Year 2000 Renovation,” December 12, 2000

Inspector General, DoD, Report No. 
D-2000-124, “Information Assurance Challenges – A Summary of Audit Results Reported December 1, 1998, Through March 31, 2000,” May 15, 2000

Inspector General, DoD, Report No. 99-069, “Summary of Audit Results – DoD Information Assurance Challenges,” January 22, 1999

Appendix C. Sample Application Results

From the randomly selected sample of 90 applications operating or residing on DISA Centers and Detachments, the points of contact for 54 applications acknowledged the applications. For those 54 applications, the status was as follows:

• 6 had current C and As,
• 27 had current IATOs,
• 1 had an expired C and A,
• 1 had an expired IATO,
• 12 had certifications and no accreditation (grouped with no C and A in the finding), and
• 7 had no C and A, no IATO, and no certification.

For the 54 applications discussed above, managers for 52 had assigned a DAA and managers for 51 had assigned an ISSO. A summary of the results appears in the table on the following pages.

The table also lists the items that did not meet the criteria for applications and the reason the items did not fit. From the randomly selected sample of 90, the using or bill-paying customer identified 9 sample items as other information technology residing on Center systems. The DISA customer points of contact for 15 sample items did not recognize the application name as one supporting their functions or as a segment of a larger application supporting their functions. Therefore, the status of those items for security officials and security procedures was undetermined. 
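The following Python is an added worked example, not code from the report. It reproduces the Table A2 point estimates from the Table A1 sample counts, folds the Appendix C breakdown (the 54 acknowledged applications, the 9 other IT items, the 15 unrecognized items, and the 12 retired, classified, unfielded, or transferred items) back into the Table A1 categories to confirm that all 90 sample items reconcile, and attaches a Wald interval with finite population correction. The report does not state how its 90 percent bounds were computed, so the z-value of 1.645 and the Wald form are assumptions; the bounds this produces come out somewhat narrower than Table A2's, and only the point estimates and category totals match the report.

```python
"""Reproduce the Appendix A projection and reconcile Appendix C to Table A1.

Added example; not code from the report. The Wald interval with finite
population correction (FPC) and z = 1.645 are assumptions: the report does
not say how its 90 percent bounds were computed, so the bounds differ from
Table A2 while the point estimates and category totals match.
"""
import math

POPULATION = 1365      # unique-named applications (the audit's subset)
SAMPLE_SIZE = 90       # simple random sample drawn from that subset
Z_90 = 1.645           # two-sided 90 percent normal quantile (assumption)

# Table A1 sample results, by C and A status category.
TABLE_A1 = {
    "current": 33,
    "out_of_date": 2,
    "none_or_incomplete": 19,
    "other_it": 9,
    "unable_to_test": 27,
}

# Appendix C counts: 54 acknowledged applications, 9 other IT items,
# 15 unrecognized items, and 12 items whose status could not be established.
APPENDIX_C = {
    "current_ca": 6, "current_iato": 27,
    "expired_ca": 1, "expired_iato": 1,
    "cert_only": 12, "nothing": 7,
    "other_it": 9,
    "unrecognized": 15, "retired": 6, "classified": 3,
    "unfielded": 2, "transferred": 1,
}

# How each Appendix C line folds into a Table A1 category (per the finding).
CATEGORY_OF = {
    "current_ca": "current", "current_iato": "current",
    "expired_ca": "out_of_date", "expired_iato": "out_of_date",
    "cert_only": "none_or_incomplete", "nothing": "none_or_incomplete",
    "other_it": "other_it",
    "unrecognized": "unable_to_test", "retired": "unable_to_test",
    "classified": "unable_to_test", "unfielded": "unable_to_test",
    "transferred": "unable_to_test",
}


def round_half_up(x: float) -> int:
    """Table A2 rounds .5 upward (136.5 -> 137), unlike Python's round()."""
    return math.floor(x + 0.5)


def reconcile_appendix_c(detail: dict = APPENDIX_C) -> dict:
    """Fold the Appendix C breakdown into Table A1 categories."""
    totals = {cat: 0 for cat in TABLE_A1}
    for item, count in detail.items():
        totals[CATEGORY_OF[item]] += count
    return totals


def project(count: int, n: int = SAMPLE_SIZE, big_n: int = POPULATION,
            z: float = Z_90) -> dict:
    """Project a sample count to the population: point estimate plus a Wald
    interval with FPC (assumed method). A lower bound below zero is reported
    as None, as Table A2's footnote 2 does."""
    p = count / n
    fpc = (big_n - n) / (big_n - 1)
    se = math.sqrt(p * (1 - p) / n * fpc)
    point = round_half_up(count * big_n / n)      # exact ratio, then round
    lower = round_half_up((p - z * se) * big_n)
    upper = round_half_up((p + z * se) * big_n)
    return {"point": point, "lower": lower if lower >= 0 else None, "upper": upper}


def project_table(sample: dict = TABLE_A1) -> dict:
    """Project every Table A1 category, mirroring the layout of Table A2."""
    return {cat: project(count) for cat, count in sample.items()}


if __name__ == "__main__":
    assert reconcile_appendix_c() == TABLE_A1
    print(f"{'category':20s} {'lower':>6} {'point':>6} {'upper':>6}")
    for cat, est in project_table().items():
        print(f"{cat:20s} {str(est['lower']):>6} {est['point']:>6} {est['upper']:>6}")
```

Running the script prints the projected table; the point estimates (501, 30, 288, 137, 410) match Table A2 and sum to 1,366, which is the rounding effect footnote 1 describes, and the out-of-date lower bound is suppressed exactly as footnote 2 describes.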
Also, the status of applications for C and A or IATO could not be established for 12 sample items: 6 retired, 3 classified, 2 unfielded (in development), and 1 transferred to a non-DISA service provider. Together with the 54 acknowledged applications, the 9 other IT items, and the 15 unrecognized items, those 12 items account for all 90 sample items.

Sample Application Results table (pages 21 through 25 of the report; the table itself is not reproduced here). Acronyms used in the table:

ACALA      U.S. Army Armament and Chemical Acquisition and Logistics Agency
AFMC       Air Force Materiel Command
CECOM      Communications Electronics Command (Army)
Cert.      Certification
CSC-StL    Computer Science Corporation – St. Louis
DE         Denver
DFAS       Defense Finance and Accounting Service
DLA        Defense Logistics Agency
FMSO       Fleet Materiel Supply Office
HROC       Human Resource Operations Center
HQ         Headquarters
AF/IL      Headquarters Air Force, Deputy Chief of Staff for Installations and Logistics
ILSP       Integrated Logistics Support Program
ITS        Integrated Technology Security
J-64       DLA Enterprise Business Systems, Directorate J-64
KC         Kansas City
LOGSA      Logistics Support Activity (U.S. Army Materiel Command)
LSSO       Logistics Systems Support Office
LG         Defense Communications Systems/Logistics
MCLBASE    Marine Corps Logistics Base
MSG        Materiel Systems Group (Air Force)
NAVICP     Naval Inventory Control Point
OPLOC      Operating Location
OSC        U.S. Army Operations Support Command

Appendix D. 
Report Distribution

Office of the Secretary of Defense
Under Secretary of Defense (Comptroller)
  Deputy Chief Financial Officer
  Deputy Comptroller (Program/Budget)
Assistant Secretary of Defense (Command, Control, Communications, and Intelligence)
  Deputy Assistant Secretary of Defense (Deputy Chief Information Officer)
  Director, Defense-Wide Information Assurance Program

Department of the Army
Chief Information Officer, Department of the Army
Auditor General, Department of the Army

Department of the Navy
Assistant Secretary of the Navy (Manpower and Reserve Affairs)
Commandant, Marine Corps
Naval Inspector General
Auditor General, Department of the Navy
Navy Chief Information Officer

Department of the Air Force
Assistant Secretary of the Air Force (Financial Management and Comptroller)
Auditor General, Department of the Air Force
Chief Information Officer, Department of the Air Force

Other Defense Organizations
Inspector General, Defense Intelligence Agency
Director, Defense Logistics Agency
Director, Defense Finance and Accounting Service
  Chief Information Officer
Inspector General, Defense Information Systems Agency

Non-Defense Federal Organizations
Office of Management and Budget
General Accounting Office

Congressional Committees and Subcommittees, Chairman and Ranking Minority Member
Senate Committee on Appropriations
Senate Subcommittee on Defense, Committee on Appropriations
Senate Committee on Armed Services
Senate Committee on Governmental Affairs
House Committee on Appropriations
House Subcommittee on Defense, Committee on Appropriations
House Committee on Armed Services
House Committee on Government Reform
House Subcommittee on Government Efficiency, Financial Management, and Intergovernmental Relations, Committee on Government Reform
House Subcommittee on National Security, Veterans Affairs, and International Relations, Committee 
on Government Reform
House Subcommittee on Technology and Procurement Policy, Committee on Government Reform

Management Comments (reproduced in the report as scanned pages 29 through 41; not included here)

Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) Comments

Department of the Army Comments

Department of the Air Force Comments

Defense Information Systems Agency Comments

Defense Logistics Agency Comments

Audit Team Members

The Acquisition Management Directorate, Office of the Assistant Inspector General for Auditing, DoD, prepared this report. Personnel of the Office of the Inspector General, DoD, who contributed to the report are listed below.

Mary L. Ugone
Robert K. West
Judith I. Padgett
Walter L. Jackson
Bryon J. Farber
Heather L. Jordan
Setranique T. Clawson
Mandy L. Rush
Richard O. Williams
Henry D. Barton
Dharam V. Jain
Ann Ferrante
Jacqueline N. Pugh